September 2005
Report No. 05-033

Response to Privacy Program Information Request in OMB's Fiscal Year 2005 Reporting Instructions for FISMA and Agency Privacy Management

AUDIT REPORT

Background and Purpose of Audit

A number of federal statutes, policies, and guidelines are aimed at protecting information in an identifiable form from unauthorized use, access, disclosure, or sharing and protecting associated information systems from unauthorized access, modification, disruption, or destruction. Key federal statutes include the Privacy Act of 1974, section 208 of the E-Government Act of 2002, and section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005.

This audit was conducted in response to a request for privacy program information contained in the Office of Management and Budget's (OMB) June 13, 2005 memorandum entitled, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

The objective of the audit was to determine the current status of the FDIC's efforts to implement a corporate-wide privacy management program.

Results of Audit

The FDIC has taken a number of actions to protect information in an identifiable form (IIF) since the passage of the Privacy Act of 1974. Such actions include establishing corporate policies and procedures to safeguard IIF, identifying corporate Privacy Act systems of record that contain IIF and publishing related notices in the Federal Register, and posting a privacy statement on the FDIC's public Web site. Additionally, control improvements were underway at the time of our audit. These included appointing a Chief Privacy Officer and Privacy Program Manager to oversee and implement the Corporation's privacy program and implementing a privacy Web site to promote awareness among employees and contractor personnel regarding privacy requirements, policies, and practices. In addition, the FDIC strengthened controls over IIF in hardcopy format by providing additional shredding bins throughout its headquarters offices to securely dispose of sensitive data.

The above actions were positive; however, the FDIC needed to complete a number of ongoing initiatives to ensure adequate protection of employee IIF and compliance with federal privacy-related statutes, policies, and guidelines. Specifically, the FDIC needed to complete ongoing efforts to:

• identify all FDIC-maintained IIF and take appropriate actions to ensure this information is properly protected;
• review privacy policies and procedures to ensure they are current, comprehensive, and complete; and
• implement a corporate-wide training and education program, including job-specific training where appropriate.

The FDIC also needed to execute contractor confidentiality agreements as prescribed by FDIC policy.

We made no recommendations in this report because the FDIC is taking steps to establish a comprehensive privacy program.

To view the full report, go to www.fdicig.gov/2005reports.asp

Federal Deposit Insurance Corporation
801 17th Street NW, Washington, DC 20434
Office of Audits
Office of Inspector General

DATE: September 16, 2005

MEMORANDUM TO: Michael E. Bartell, Chief Privacy Officer and Director, Division of Information Technology

FROM: Russell A. Rau, Assistant Inspector General for Audits

SUBJECT: Response to Privacy Program Information Request in OMB's Fiscal Year 2005 Reporting Instructions for FISMA and Agency Privacy Management (Report No. 05-033)

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has completed an audit of the status of the FDIC's privacy program and related activities. This audit was conducted in response to a request for privacy program information contained in the Office of Management and Budget's (OMB) June 13, 2005 memorandum entitled, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. We are providing the results of this audit to you in your capacity as the FDIC's Chief Privacy Officer (CPO). The objective of the audit was to determine the current status of the FDIC's efforts to implement a corporate-wide privacy management program. We are providing you our responses to specific security-related questions in the referenced OMB memorandum, along with our independent security evaluation report required by the Federal Information Security Management Act of 2002 (FISMA), under separate cover.[1]

BACKGROUND

A number of federal statutes, policies, and guidelines are aimed at protecting information in an identifiable form (IIF)[2] from unauthorized use, access, disclosure, or sharing and associated information systems from unauthorized access, modification, disruption, or destruction. A brief description of key privacy-related statutes, policies, and guidelines and their applicability to the FDIC follows.

[1] Responses to Security-Related Questions Raised in OMB's Fiscal Year 2005 Reporting Instructions for FISMA and Agency Privacy Management (Report No. 05-034), dated September 16, 2005; and Independent Evaluation of the FDIC's Information Security Program-2005 (Report No. 05-040), scheduled for issuance on September 30, 2005.
[2] OMB defines "information in an identifiable form" as information in a system or on-line collection that directly identifies an individual (e.g., name, address, social security number (SSN) or other identifying code, telephone number, e-mail address, etc.) or by which an agency intends to identify specific individuals in conjunction with other data elements.

• The Privacy Act of 1974 imposes various requirements on federal agencies whenever they collect, create, maintain, and distribute records (as defined in the Act, and regardless of whether they are in hardcopy or electronic format) that can be retrieved by the name of an individual or other identifier. One of these requirements is to publish notices in the Federal Register that include information such as the categories of records maintained in the agency systems, the routine uses of the records, and the manner in which individuals may access the information. As a federal agency for this purpose, the FDIC is subject to the requirements of the Act.

• The E-Government Act of 2002, section 208, requires agencies to (1) conduct privacy impact assessments (PIA) of information systems and collections and, in general, make PIAs publicly available; (2) post privacy policies on agency Web sites used by the public; (3) translate privacy policies into a machine-readable format; and (4) report annually to the OMB on compliance with section 208. The FDIC has determined that section 208 applies to the Corporation.

• Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005[3] requires, among other things, that agencies protect IIF, designate a CPO, conduct PIAs under appropriate circumstances, report to the Congress and agency IG on privacy matters, and provide training to employees on privacy and data protection policies. Section 522 also requires that every 2 years, the agency IG contract with an independent third party to conduct a review of the agency's privacy program and practices and that the IG issue a report based on that review. Agencies must establish comprehensive privacy and data protection procedures by December 2005. The FDIC has determined that section 522 applies to the Corporation.

• OMB Circular No. A-130, Management of Federal Information Resources, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals, describes agency responsibilities for implementing the reporting and publication requirements of the Privacy Act of 1974. The FDIC has determined that OMB Circular No. A-130, Appendix I, applies to the Corporation and has designated a senior agency official for privacy as discussed below. Subsequent OMB policy[4] provides additional information regarding agency responsibilities for designating a senior agency official for privacy, conducting PIAs, developing privacy policies for Web sites, providing privacy education to employees and contractor personnel, and reporting privacy activities.

[3] This Act is division H of the Consolidated Appropriations Act, 2005, Public Law No. 108-447.
[4] Such policy includes OMB Memorandums M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, and M-05-08, Designation of Senior Agency Officials for Privacy.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of the audit was to determine the current status of the FDIC's efforts to implement a corporate-wide privacy management program. To accomplish our objective, we relied on professional services provided by KPMG LLP (KPMG). KPMG's work included interviewing key FDIC officials with privacy responsibilities; reviewing relevant FDIC policies, procedures, and documentation; and performing other appropriate audit procedures. As part of our oversight of KPMG, we evaluated the nature, timing, and extent of work described in its evaluation program, obtained an understanding of KPMG's methodologies and assumptions, attended key meetings, monitored progress throughout the evaluation, and performed other procedures we deemed necessary. In this manner, we were assured that KPMG's work complied with generally accepted government auditing standards (GAGAS).

The limited nature of our work did not require that we separately perform procedures to review program performance measures, assess the FDIC's compliance with laws and regulations, evaluate the FDIC's internal control, or assure ourselves that computer-based data were valid and reliable. In addition, we did not design specific audit procedures to detect fraud; however, throughout our work, we were sensitive to the potential for fraud, waste, abuse, and mismanagement. We performed our work at the FDIC's headquarters offices in Washington, D.C., and Arlington, Virginia, during the period July through August 2005. On September 14, 2005, the FDIC Privacy Program Manager provided updated information regarding progress on the FDIC's privacy program, which we included in the report. We conducted our work in accordance with GAGAS.

STATUS OF THE FDIC'S PRIVACY PROGRAM AND PRACTICES

The FDIC has taken a number of actions to protect IIF since the passage of the Privacy Act of 1974. Such actions include establishing corporate policies and procedures to safeguard IIF, identifying corporate Privacy Act systems of record that contain IIF and publishing related system of record notices in the Federal Register, and posting a privacy statement on the FDIC's public Web site. In addition, the OIG has conducted reviews of, and reported on, the FDIC's privacy program practices in recent years.[5] These reviews have focused on the FDIC's efforts to safeguard employee IIF; control the use of SSN information for non-employees (such as depositors, debtors, and loan guarantors); and ensure the adequacy of privacy and security disclosure statements on the Corporation's Web sites. Generally, these reviews concluded that the FDIC had taken measures to safeguard IIF, but that important control improvements were needed. Finally, the OIG performed an annual independent evaluation of the FDIC's information security program as required by FISMA that included determining whether the FDIC had implemented controls that maintain appropriate confidentiality of information resources.

The FDIC has taken recent action to strengthen its privacy program and practices, and additional control improvements were underway at the time of our audit. In March 2005, in response to passage of section 522, the FDIC appointed a senior official, the Director, Division of Information Technology (DIT), as the FDIC's CPO with overall responsibility for the Corporation's privacy program. The Director was also designated as the senior agency official for privacy in accordance with OMB policy. The FDIC also designated a Privacy Program Manager in April 2005 to support the CPO in developing and implementing corporate privacy requirements. In addition, the FDIC implemented a privacy Web site to promote awareness among FDIC employees and contractor personnel regarding privacy requirements, policies, and practices. In September 2005, a public Web site was launched to provide information regarding the Privacy Act and privacy policies of the FDIC. The Web site includes information about employee responsibilities, disclosure procedures, privacy program contacts, and PIAs. Further, the FDIC strengthened controls over IIF in hardcopy format by providing additional shredding bins throughout its headquarters offices to securely dispose of sensitive data. These actions were positive; however, the FDIC needed to complete a number of ongoing initiatives to ensure adequate protection of employee IIF and compliance with federal privacy-related statutes, policies, and guidelines. A brief summary of the FDIC's key privacy initiatives follows.

[5] Reports entitled, FDIC's Privacy and Security Notices-Requirements and Policy Statements on the Internet and Intranet, dated May 19, 2000 (Report No. 00-004); FDIC's Information Handling Practices for Sensitive Employee Data, dated October 11, 2000 (Report No. 00-006); and Control Over the Use and Protection of Social Security Numbers by Federal Agencies, dated February 14, 2003 (Report No. 03-012).

• Identifying FDIC-maintained IIF. DIT personnel performed a preliminary assessment of the FDIC's major information systems during our audit to determine which systems process SSNs. Based on the results of the assessment, DIT will determine whether controls in the major information systems sufficiently protect employee SSNs and will take any needed corrective action. In addition, DIT, together with the FDIC's divisions and offices, recently initiated a corporate effort to identify SSNs maintained in electronic and hardcopy format outside of the FDIC's major information systems. Such SSN data may be stored or processed by organizational units in locally maintained systems, databases, spreadsheets, and documentation. Following the completion of this corporate-wide analysis, the FDIC plans to take appropriate steps to ensure that all FDIC-maintained SSN data is adequately protected.

• Policies and Procedures. In December 2004, the FDIC modified its Standard Operating Procedures for Processing Sensitivity Assessment Questionnaires to include privacy considerations. The FDIC plans to apply these revised procedures to all of its applications over the next several years. The FDIC also developed a PIA guide and template for preparing PIAs in July 2005. At the time of our audit, the FDIC had completed a PIA on only 1 (the Corporate Human Resources Information System) of the 26 information systems that DIT had identified as containing SSNs and was working to complete PIAs on the remaining information systems. The Privacy Program Manager advised us that PIAs had been completed on 25 of 26 information systems as of September 14, 2005 and that the FDIC was working to complete a PIA on the remaining information system. The FDIC may need to complete or amend and publish, as necessary, PIAs or Privacy Act notices based on the results of its efforts to identify SSNs maintained throughout the Corporation. Additionally, according to the Privacy Program Manager, the CIO Council is reviewing a proposed modification to its charter to add a privacy advisory role to provide a forum for privacy issues. The FDIC is continuing to review its privacy policies and procedures to ensure they are current, comprehensive, and complete. Where additional or revised procedures are needed, the FDIC plans to take appropriate corrective action.

• Training. The FDIC is working to develop a corporate-wide training and education program to increase employee and contractor awareness of their responsibilities regarding the protection of IIF. To comply with federal privacy policy, the FDIC will need to provide individuals in trusted roles with job-specific training. According to the Privacy Program Manager, privacy training was held for members of the CIO Council on September 6, 2005. Privacy training is planned for members of the Operating Committee in October 2005. Also, the FDIC plans to begin mandatory privacy training for all employees and contractors during the week of September 19, 2005. Finally, FDIC information security managers for three major information systems stated that they were modifying their application-specific security training to address privacy.

• Privacy Reviews and Evaluations. The FDIC's Privacy Program Manager stated that the FDIC had reviewed its corporate documentation and contracts in the prior fiscal year as required by OMB Circular No. A-130, Appendix I. These reviews included determining compliance with specific provisions of the Privacy Act of 1974. However, during our audit, the FDIC was in the process of documenting the results of these reviews. Subsequent to our fieldwork, the Privacy Program Manager informed us that these reviews had been completed and documented. In addition, section 522 requires the FDIC to prepare several reports and reviews. For example, the CPO must conduct PIAs of systems containing IIF and prepare a report to the Congress annually on the activities that affect privacy. Also, a written report of the FDIC's use of IIF along with its privacy and data protection policies and procedures is required to be recorded with the IG to serve as a benchmark for the agency. Finally, section 522 requires the FDIC to perform an independent third-party review of the privacy and data protection procedures of the agency. This review will be performed through the OIG and includes, among other things, ensuring that all technologies for collecting, using, storing, and disclosing information allow for continuous auditing of compliance with privacy policies and practices.

As reported in our independent security evaluation required by FISMA, FDIC contractor personnel were not routinely executing confidentiality agreements as prescribed by FDIC contracting policy and information technology (IT) service contracts. The FDIC's standard IT service contract language requires contractors, subcontractors, and their employees to sign confidentiality agreements. Confidentiality agreements are designed to hold contractor personnel accountable for maintaining the confidentiality of FDIC information, data, and systems provided under a contract. We found that oversight managers and contract specialists generally were not obtaining the agreements from the contractor and contract personnel.

Privacy has been and continues to be of significant concern to the public and the Congress. Recent reports of unauthorized disclosure of IIF in the financial services industry, as well as a recent report of unauthorized access to IIF on a large number of current and former FDIC employees, highlight the criticality of an effective and comprehensive privacy management program. The OIG will continue to work with the Corporation throughout the coming year to ensure that appropriate privacy controls are in place to safeguard all the FDIC's IIF. We made no recommendations in this report because the FDIC is taking steps to establish a comprehensive privacy program.